Abstract — We present an algorithm for list decoding codewords of algebraic number field codes in polynomial time. This is the first explicit procedure for decoding number field codes, whose construction was previously described by Lenstra [1] and Guruswami [2]. We rely on a new algorithm for computing the Hermite normal form of the basis of an $O_K$-module due to Biasse and Fieker [3], where $O_K$ is the ring of integers of a number field $K$.

I. Introduction 

Algorithms for list decoding Reed-Solomon codes, and their generalization the algebraic-geometric codes, are now well understood. The codewords consist of sets of functions whose evaluations at a certain number of points are sent, thus allowing the receiver to retrieve them provided that the number of errors is manageable.

The idea behind algebraic-geometric codes can be adapted to define algebraic codes whose messages are encoded as a list of residues redundant enough to allow errors during the transmission. The Chinese Remainder codes (CRT codes) have been fairly studied by the community [4], [5]. The encoded messages are residues modulo $N := p_1 \cdots p_n$ of numbers $m < K := p_1 \cdots p_k$, where $p_1 < p_2 < \cdots < p_n$ are prime numbers. They are encoded by using

$$\mathbb{Z} \longrightarrow \mathbb{Z}/p_1 \times \cdots \times \mathbb{Z}/p_n, \qquad m \longmapsto (m \bmod p_1, \cdots, m \bmod p_n).$$
Decoding algorithms for CRT codes were significantly improved to reach the same level of tolerance to errors as those for Reed-Solomon codes [6], [7], [8]. As algebraic-geometric codes are a generalization of Reed-Solomon codes, the idea arose that we could generalize the results for CRT codes to redundant residue codes based on number fields. Indeed, we can easily define an analogue of the CRT codes where a number field $K$ plays the role of $\mathbb{Q}$ and its ring of integers $O_K$ plays the role of $\mathbb{Z}$. Then, for prime ideals $\mathfrak{p}_1, \cdots, \mathfrak{p}_n$ such that $\mathcal{N}(\mathfrak{p}_1) \le \cdots \le \mathcal{N}(\mathfrak{p}_n)$, a message $m \in O_K$ can be encoded by using

$$O_K \longrightarrow O_K/\mathfrak{p}_1 \times \cdots \times O_K/\mathfrak{p}_n, \qquad m \longmapsto (m \bmod \mathfrak{p}_1, \cdots, m \bmod \mathfrak{p}_n).$$



The construction of good codes on number fields has been independently studied by Lenstra [1] and Guruswami [2]. They provided indications on how to choose number fields having good properties for the underlying codes. In particular, Guruswami [2] showed the existence of asymptotically good number field codes, that is a family $C_i$ of $[n_i, k_i, d_i]_q$ codes of increasing block length with

$$\liminf \frac{k_i}{n_i} > 0 \quad\text{and}\quad \liminf \frac{d_i}{n_i} > 0.$$

Neither of them could provide a decoding algorithm. In the concluding remarks of [2], Guruswami identifies the application of the decoding paradigm of [8], [9], [4] to number field codes as an open problem.

Contribution: The main contribution of this paper is to provide the first algorithm for decoding number field codes. We first show that a direct adaptation of an analogue of Coppersmith's theorem due to Cohn and Henninger [10] allows us to follow the approach of Boneh [6], which does not reach the Johnson bound. Then we adapt the decoding paradigm of [8, Chap. 7] to number field codes, by using methods for manipulating modules over the ring of integers of a number field recently described in [3], to achieve the Johnson bound.

Throughout this paper, we denote by $K$ a number field of degree $d$, of discriminant $\Delta$ and of ring of integers $O_K$. The prime ideals $(\mathfrak{p}_i)_{i \le n}$ satisfy $\mathcal{N}(\mathfrak{p}_1) \le \mathcal{N}(\mathfrak{p}_2) \le \cdots \le \mathcal{N}(\mathfrak{p}_n)$, and we define $N := \prod_{i \le n} \mathcal{N}(\mathfrak{p}_i)$ and $B := \prod_{i \le k} \mathcal{N}(\mathfrak{p}_i)$ for integers $k, n$ such that $0 < k < n$. Before describing our algorithm in more detail in the following sections, let us state the main result of the paper.

Theorem 1. Let $\varepsilon > 0$, and a message $m \in O_K$ satisfying $\|m\| < B$. Then there is an algorithm that returns all the messages $m' \in O_K$ such that $\|m'\| < B$ and such that $c(m)$ and $c(m')$ have mutual agreement $t$ satisfying

$$t \ge \sqrt{k(n + \varepsilon)}.$$

This algorithm is polynomial in $d$, $\log(N)$, $1/\varepsilon$ and $\log|\Delta|$.
II. Generalities on number fields

Let $K$ be a number field of degree $d$. It has $r_1 \le d$ real embeddings $(\theta_i)_{i \le r_1}$ and $2r_2$ complex embeddings $(\theta_i)_{r_1 < i \le r_1 + 2r_2}$ (coming as $r_2$ pairs of conjugates). The field $K$ is isomorphic to $O_K \otimes \mathbb{Q}$, where $O_K$ denotes the ring of integers of $K$. We can embed $K$ in

$$K_{\mathbb{R}} := K \otimes \mathbb{R} \simeq \mathbb{R}^{r_1} \times \mathbb{C}^{r_2},$$

and extend the $\theta_i$'s to $K_{\mathbb{R}}$. Let $T_2$ be the Hermitian form on $K_{\mathbb{R}}$ defined by

$$T_2(x, x') := \sum_i \theta_i(x)\,\overline{\theta_i(x')},$$

and let $\|x\| := \sqrt{T_2(x, x)}$ be the corresponding $L_2$-norm. Let $(\alpha_i)_{i \le d}$ be such that $O_K = \bigoplus_i \mathbb{Z}\alpha_i$; then the discriminant of $K$ is given by $\Delta = \det(T_2(\alpha_i, \alpha_j))$. The norm of an element $x \in K$ is defined by $\mathcal{N}(x) := \prod_i |\theta_i(x)|$.

We encode our messages with prime ideals of $O_K$. However, for decoding, we need a more general notion of ideal, namely the fractional ideals of $O_K$. They can be defined as the finitely generated $O_K$-submodules of $K$. When a fractional ideal is contained in $O_K$, we refer to it as an integral ideal. For every fractional ideal $I$ of $O_K$, there exists $r \in \mathbb{Z}$ such that $rI$ is integral. The sum and product of two fractional ideals $I, J$ of $O_K$ are given by

$$I + J = \{ i + j \mid i \in I,\ j \in J \}, \qquad IJ = \{ i_1 j_1 + \cdots + i_l j_l \mid l \in \mathbb{N},\ i_1, \cdots, i_l \in I,\ j_1, \cdots, j_l \in J \}.$$

The fractional ideals of $O_K$ are invertible, that is, for every fractional ideal $I$ there exists $I^{-1} := \{ x \in K \mid xI \subseteq O_K \}$ such that $II^{-1} = O_K$. The set of fractional ideals is equipped with a norm function defined by $\mathcal{N}(I) = \det(I)/\det(O_K)$. The norm of ideals is multiplicative, and in the case of an integral ideal we have $\mathcal{N}(I) = |O_K/I|$. Also note that the norm of $x \in K$ is precisely the norm of the principal ideal $(x) = xO_K$.

In the following, we will study finitely generated sub-$O_K$-modules of $O_K[y]$. Let $M \subseteq K^n$ be a finitely generated $O_K$-module. As in [11, Chap. 1], we say that $[(a_i), (\mathfrak{a}_i)]_{i \le n}$, where $a_i \in K^n$ and $\mathfrak{a}_i$ is a fractional ideal of $K$, is a pseudo-basis for $M$ if $M = \mathfrak{a}_1 a_1 \oplus \cdots \oplus \mathfrak{a}_n a_n$. We also call a pseudo-matrix representing $M$ the matrix of the coefficients of the $(a_i)_{i \le n}$ along with the ideals $\mathfrak{a}_i$. The algorithm [3, Alg. 4] returns in polynomial time a pseudo-matrix representing $M$ where the matrix of the $(a_i)_{i \le n}$ has a triangular shape.

III. Decoding with Coppersmith's theorem

An analogue of Coppersmith's theorem was described by Cohn and Henninger in [10]. It was used to provide an elegant way of decoding Reed-Solomon codes, and the possibility to use it for breaking lattice-based cryptosystems in $O_K$-modules was considered, although they concluded that it would not improve the state-of-the-art algorithms.

Theorem 2 (Coppersmith). Let $f \in O_K[X]$ be a monic polynomial of degree $l$, $0 < \beta \le 1$, $\lambda_1, \cdots, \lambda_d > 0$ and $I \subseteq O_K$ an ideal. We can find in polynomial time all the $\omega \in O_K$ such that $|\omega|_i := |\sigma_i(\omega)| \le \lambda_i$ and

$$\mathcal{N}\bigl(\gcd(f(\omega)O_K, I)\bigr) \ge \mathcal{N}(I)^{\beta},$$

provided that the $\lambda_i$ satisfy $\prod_i \lambda_i < (2 + o(1))^{-d^2/2}\,\mathcal{N}(I)^{\beta^2/l}$.

Although not mentioned in [10], a straightforward adaptation of Theorem 2 with

$$\beta := \frac{\sum_{i \le k} \log \mathcal{N}(\mathfrak{p}_i)}{\sum_{i \le n} \log \mathcal{N}(\mathfrak{p}_i)},\quad 0 < k < n, \qquad I := \prod_{i \le n} \mathfrak{p}_i \qquad\text{and}\qquad \lambda_j := \frac{1}{2}\prod_{i \le k} \mathcal{N}(\mathfrak{p}_i)^{1/d} \ \text{ for all } j \le d$$

provides a polynomial time algorithm for decoding number field codes.

Theorem 3. Let $(r_1, \cdots, r_n) \in \prod_i O_K/\mathfrak{p}_i$ and $m \in O_K$ satisfying $m \equiv r_i \bmod \mathfrak{p}_i$ for all $i$. Then Theorem 2 applied to $f(\omega) := \omega - m$ allows us to return in polynomial time a list of $m' \in O_K$ with $\|m'\| < \frac{\sqrt{d}}{2}\prod_{i \le k} \mathcal{N}(\mathfrak{p}_i)^{1/d}$ that differ from $m$ in at most $e$ places, where

$$e \le n - \sqrt{kn\,\frac{\log \mathcal{N}(\mathfrak{p}_n)}{\log \mathcal{N}(\mathfrak{p}_1)}}.$$

In the rest of the paper, we present a method based on Guruswami's general framework for residue codes [8] that allows us to get rid of the dependency in $\frac{\log \mathcal{N}(\mathfrak{p}_n)}{\log \mathcal{N}(\mathfrak{p}_1)}$ in the decoding bound, thus reaching the Johnson bound.

IV. Johnson-type bound for number field codes

A Johnson-type bound is a positive number $J$ depending on the distance, the block length and the cardinalities of the alphabets constituting the code. It guarantees that a "small" number of codewords are in any sphere of radius $J$. By "small" number, we mean a number of codewords which is linear in the code block length and the cardinality of the code. In our case, the Johnson-type bound for number field codes depends only on the code block length and its minimal distance, and "small" means polynomial in $\sum_{i=1}^n \log \mathcal{N}(\mathfrak{p}_i)$.

The Johnson-type bound of [8, Section 7.6.1] remains valid for number field codes. For any prime ideal $\mathfrak{p} \subseteq O_K$, the quotient $O_K/\mathfrak{p}$ is a finite field. Thus the $i$-th symbol of a codeword comes from an alphabet of size $\mathcal{N}(\mathfrak{p}_i) = |O_K/\mathfrak{p}_i|$ and [8, Th. 7.10] can be applied. Let $t$ be the least positive integer such that $\prod_{i=1}^{t} \mathcal{N}(\mathfrak{p}_i) > \left(\frac{2B}{\sqrt{d}}\right)^d$, where $d = [K : \mathbb{Q}]$ (two codewords $m, m'$ satisfy $\|m - m'\| < 2B$, hence $\mathcal{N}(m - m') \le (2B/\sqrt{d})^d$ by the arithmetic-geometric inequality, so they cannot agree at $t$ positions unless $m = m'$), and let $T = \prod_{i=1}^{t} \mathcal{N}(\mathfrak{p}_i)$. Then, by [2, Lem. 12], the minimal Hamming distance of the number field code is at least $n - t + 1$. Using [8, Th. 7.10], we can show that for a given message and $\varepsilon > 0$, only a "small" number of codewords satisfy

$$\sum_{i=1}^{n} a_i \ge \sqrt{(t + \varepsilon)\,n}, \qquad (1)$$

where $a_i = 1$ if the codeword and the message agree at the $i$-th position, $a_i = 0$ otherwise. Thus, if our list decoding algorithm returns all the codewords having at most $n - \sqrt{(t + \varepsilon)n}$ errors, then this number is guaranteed to be "small". Therefore, the Johnson bound appears to be a good objective for our algorithm. Note that we would derive a different bound by using weighted distances. In particular, by using the log-weighted Hamming distance, i.e.

$$d(x, y) = \sum_{i :\ x \not\equiv y \bmod \mathfrak{p}_i} \log \mathcal{N}(\mathfrak{p}_i),$$

the condition would be

$$\sum_{i=1}^{n} a_i \log \mathcal{N}(\mathfrak{p}_i) \ge \sqrt{(\log T + \varepsilon)\log N},$$

where $\log N = \sum_{i \le n} \log \mathcal{N}(\mathfrak{p}_i)$.
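The CRT code of the introduction is the case $K = \mathbb{Q}$, $d = 1$ of the codes above ($O_K = \mathbb{Z}$, $\|m\| = |m|$, $\mathcal{N}(\mathfrak{p}_i) = p_i$), and it is small enough to check the statements of this section exhaustively. The following Python script is an added example, not code from the paper: with constructed toy parameters (eight primes, $k = 2$, messages taken as the integers with $|m| < B$) it encodes messages, computes the $t$ defined above, verifies that the minimum distance is at least $n - t + 1$, and measures, over random received words carrying $n - \lceil\sqrt{(t + \varepsilon)n}\rceil$ errors, how many codewords satisfy (1). The sample size and the seed are arbitrary choices.

```python
"""CRT code over Z (the case K = Q, d = 1): encoding, minimum distance and an
empirical check of the Johnson-type bound of Section IV.  Toy parameters,
constructed for this example."""
import itertools
import math
import random

PRIMES = [11, 13, 17, 19, 23, 29, 31, 37]      # p_1 < ... < p_n
K = 2
B = math.prod(PRIMES[:K])                      # code = {m in Z : |m| < B}


def encode(m, primes=PRIMES):
    """m -> (m mod p_1, ..., m mod p_n); Python's % returns residues in [0, p)."""
    return tuple(m % p for p in primes)


def agreement(u, v):
    return sum(a == b for a, b in zip(u, v))


def johnson_t(primes=PRIMES, bound=B):
    """Least t with p_1 ... p_t > 2*bound: two messages with |m|, |m'| < bound that
    agree at t positions are congruent modulo an integer larger than |m - m'|,
    hence equal.  This is the t of Section IV with d = 1."""
    acc = 1
    for t, p in enumerate(primes, start=1):
        acc *= p
        if acc > 2 * bound:
            return t
    raise ValueError("code too short for this message bound")


def min_distance(primes=PRIMES, bound=B):
    """Exhaustive minimum Hamming distance; [2, Lem. 12] predicts >= n - t + 1."""
    words = [encode(m, primes) for m in range(-bound + 1, bound)]
    n = len(primes)
    return min(n - agreement(u, v) for u, v in itertools.combinations(words, 2))


def johnson_agreement(primes=PRIMES, bound=B, eps=1e-9):
    """Smallest integer agreement a with a >= sqrt((t + eps) n), i.e. condition (1)."""
    return math.ceil(math.sqrt((johnson_t(primes, bound) + eps) * len(primes)))


def list_within_johnson(received, primes=PRIMES, bound=B, eps=1e-9):
    """All messages whose codeword satisfies (1) w.r.t. `received`; brute force
    over the whole code, used here only to measure list sizes."""
    a = johnson_agreement(primes, bound, eps)
    return [m for m in range(-bound + 1, bound)
            if agreement(encode(m, primes), received) >= a]


def max_list_size(samples=200, seed=1, primes=PRIMES, bound=B):
    """Corrupt random codewords in exactly n - a positions (so the sender's message
    still satisfies (1)) and return (largest list seen, sender always listed)."""
    rng = random.Random(seed)
    errors = len(primes) - johnson_agreement(primes, bound)
    worst, always_found = 0, True
    for _ in range(samples):
        m = rng.randrange(-bound + 1, bound)
        word = list(encode(m, primes))
        for i in rng.sample(range(len(primes)), errors):
            word[i] = (word[i] + rng.randrange(1, primes[i])) % primes[i]  # forces a change
        found = list_within_johnson(tuple(word), primes, bound)
        worst, always_found = max(worst, len(found)), always_found and m in found
    return worst, always_found


if __name__ == "__main__":
    print(johnson_t(), min_distance(), johnson_agreement(), max_list_size())
```

With these parameters $t = 3$, so any two codewords agree in at most two positions and the minimum distance is $6 = n - t + 1$ (attained, for instance, by $100$ and $-43$, which differ by $11 \cdot 13$); the Johnson condition (1) asks for agreement $5$, i.e. three errors, one more than unique decoding tolerates, and a counting argument on $5$-subsets of $8$ positions pairwise meeting in at most $2$ shows the list can never exceed two codewords here.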

V. General description of the algorithm

In this section, we give a high-level description of our decoding algorithm. We follow the approach of the general framework described in [8], making the arrangements required in our context. Our code is the set of $m \in O_K$ such that $\|m\| < B$, where $B = \prod_{i \le k} \mathcal{N}(\mathfrak{p}_i)$. We also define $N := \prod_{i \le n} \mathcal{N}(\mathfrak{p}_i)$. A codeword $m$ is encoded via

$$O_K \longrightarrow O_K/\mathfrak{p}_1 \times \cdots \times O_K/\mathfrak{p}_n, \qquad m \longmapsto (m \bmod \mathfrak{p}_1, \cdots, m \bmod \mathfrak{p}_n).$$

Let $z_1, \cdots, z_n$ be non-negative real numbers, and let $Z$ be a parameter. In this section, as well as in Sections VI and VII, we assume that the $z_i$ are integers. We assume that we received a vector $(r_1, \cdots, r_n) \in \prod_i O_K/\mathfrak{p}_i$. We wish to retrieve all the codewords $m$ such that $\sum_i a_i z_i \ge Z$, where $a_i = 1$ if $m \bmod \mathfrak{p}_i = r_i$ and $a_i = 0$ otherwise (we say that $m$ and $(r_i)_{i \le n}$ have weighted agreement $Z$).

We find the codewords $m$ with the desired weighted agreement by computing the roots of a polynomial $c \in O_K[y]$ that satisfies

$$\|m\| < B \implies \|c(m)\| < F, \qquad (2)$$

for an appropriate bound $F$. We choose the polynomial $c$ satisfying (2) in the ideal $\prod_{i \le n} J_i^{z_i} \subseteq O_K[y]$, where

$$J_i := \{ a(y)(y - r_i) + p \cdot b(y) \mid a, b \in O_K[y] \text{ and } p \in \mathfrak{p}_i \}.$$

With such a choice of polynomial, we necessarily have $c(m) \in \prod_i \mathfrak{p}_i^{a_i z_i}$, where $a_i = 1$ if $m \bmod \mathfrak{p}_i = r_i$ and $a_i = 0$ otherwise. In particular, if $c(m) \ne 0$ then $\mathcal{N}(c(m)) \ge \prod_i \mathcal{N}(\mathfrak{p}_i)^{a_i z_i}$. In addition, we know from the arithmetic-geometric inequality that $\|c(m)\| \ge \sqrt{d}\,\mathcal{N}(c(m))^{1/d}$. We thus know that if the weighted agreement satisfies

$$\sum_{i \le n} a_i z_i \log \mathcal{N}(\mathfrak{p}_i) \ge -\frac{d}{2}\log(d) + d\log(F), \qquad (3)$$

which in turn implies $\sqrt{d}\,\bigl(\prod_i \mathcal{N}(\mathfrak{p}_i)^{a_i z_i}\bigr)^{1/d} \ge F$, then $c(m)$ has to be zero, since otherwise it would contradict (2).

Algorithm 1 Decoding algorithm

Require: $O_K$, $z_1, \cdots, z_n$, $B$, $Z$, $(r_1, \cdots, r_n) \in \prod_i O_K/\mathfrak{p}_i$.
Ensure: All $m$ such that $\sum_i a_i z_i \ge Z$.
1: Compute $l$ and $F$.
2: Find $c \in \prod_{i \le n} J_i^{z_i} \subseteq O_K[y]$ of degree at most $l$ such that $\|m\| < B \implies \|c(m)\| < F$.
3: Find all roots of $c$ and report those roots $\xi$ such that $\|\xi\| < B$ and $\sum_i a_i z_i \ge Z$.



VI. Existence of the decoding polynomial

In this section, given weights $(z_i)_{i \le n}$, we prove the existence of a polynomial $c \in \prod_i J_i^{z_i}$ and a constant $F > 0$ such that for all $m \in O_K$ with $\|m\| < B$ we have $\|c(m)\| < F$. This proof is not constructive. The actual computation of this polynomial will be described in Section VII. We first need to estimate the number of elements of $O_K$ bounded by a given size.

Lemma 1. Let $F' > 0$ and $0 < \gamma < 1$. Then the number of $x \in O_K$ such that $\|x\| < F'$ is at least

$$\frac{\pi^{d/2} F'^{\,d}}{2^{r_1 + r_2 - 1 + \gamma}\sqrt{|\Delta|}\,\Gamma(d/2)}.$$

Proof: As in [12, Chap. 5], we use the standard results of Minkowski theory for our purposes. More precisely, there is an isomorphism $f : K_{\mathbb{R}} \to \mathbb{R}^{r_1 + 2r_2}$ and a scalar product transferring the canonical measure from $K_{\mathbb{R}}$ to $\mathbb{R}^{r_1 + 2r_2}$. Let $\Lambda = f(O_K)$, $X := \{ x \in K_{\mathbb{R}} \mid \|x\| < F' \}$, and $m \in \mathbb{N}$. We know from Minkowski's lattice point theorem that if $\mathrm{Vol}(X) > m\,2^d \det(\Lambda)$, then $\#(f(X) \cap \Lambda) \ge m$. Since $\mathrm{Vol}(X) = 2^{r_2}\bigl(2\pi^{d/2}F'^{\,d}/\Gamma(d/2)\bigr)$ and $\det(\Lambda) = \sqrt{|\Delta|}$, we have the desired result. ■

Then, we must derive from Lemma 1 an analogue of [8, Lemma 7.6] in our context. This lemma allows us to estimate the number of polynomials of degree $l$ satisfying (2). To simplify the expressions, we use the following notation in the rest of the paper:

$$\alpha_{d,\Delta,\gamma} := \frac{\pi^{d/2}}{2^{r_1 + r_2 - 1 + \gamma}\sqrt{|\Delta|}\,\Gamma(d/2)}.$$

Lemma 2. For positive integers $B, F'$, the number of polynomials $c \in O_K[y]$ of degree at most $l$ satisfying (2) with $F'$ in place of $F$ is at least

$$\alpha_{d,\Delta,\gamma}^{\,l+1}\left(\frac{F'}{(l+1)B^{l/2}}\right)^{d(l+1)}.$$

Proof: Let $c(y) = c_0 + c_1 y + \cdots + c_l y^l$. We want the $c_i$'s to satisfy $\|c_i m^i\| < F'/(l+1)$ whenever $\|m\| < B$. This is the case when $\|c_i\| < F'/(B^i(l+1))$. By Lemma 1 there are at least $\alpha_{d,\Delta,\gamma}\bigl(F'/((l+1)B^i)\bigr)^d$ possibilities for $c_i$. Therefore, the number of polynomials $c$ satisfying (2) is at least

$$\alpha_{d,\Delta,\gamma}^{\,l+1}\prod_{i=0}^{l}\left(\frac{F'}{(l+1)B^i}\right)^{d} = \alpha_{d,\Delta,\gamma}^{\,l+1}\left(\frac{F'}{(l+1)B^{l/2}}\right)^{d(l+1)},$$

which finishes the proof. ■

Now that we know how to estimate the number of $c \in O_K[y]$ of degree at most $l$ satisfying (2), we need to find a lower bound on $F$ to ensure that we can find such a polynomial in $\prod_i J_i^{z_i}$. The following lemma is the equivalent of [8, Lemma 7.7].

Lemma 3. Let $l, B, F$ be positive integers. There exists $c \in \prod_i J_i^{z_i}$ satisfying (2) provided that

$$F > \frac{2(l+1)B^{l/2}}{\alpha_{d,\Delta,\gamma}^{1/d}}\left(\prod_i \mathcal{N}(\mathfrak{p}_i)^{z_i(z_i+1)/2}\right)^{\frac{1}{d(l+1)}}. \qquad (4)$$

Proof: Let us apply Lemma 2 to $F' := F/2$. There are at least

$$\alpha_{d,\Delta,\gamma}^{\,l+1}\left(\frac{F/2}{(l+1)B^{l/2}}\right)^{d(l+1)}$$

polynomials $c \in O_K[y]$ satisfying $\|m\| < B \implies \|c(m)\| < F/2$. In addition, we know from [8, Corollary 7.5] that

$$\prod_i \mathcal{N}(\mathfrak{p}_i)^{z_i(z_i+1)/2} \ge \Bigl|O_K[y]_{\le l}\big/\textstyle\prod_i J_i^{z_i}\Bigr|,$$

which implies that if (4) is satisfied, then necessarily

$$\alpha_{d,\Delta,\gamma}^{\,l+1}\left(\frac{F/2}{(l+1)B^{l/2}}\right)^{d(l+1)} > \Bigl|O_K[y]_{\le l}\big/\textstyle\prod_i J_i^{z_i}\Bigr|.$$

This means that there are at least two distinct polynomials $c_1, c_2 \in O_K[y]$ of degree at most $l$ such that $(c_1 - c_2) \in \prod_i J_i^{z_i}$ and $\|c_1(m)\|, \|c_2(m)\| < F/2$ whenever $\|m\| < B$. The choice of $c := c_1 - c_2$ finishes the proof. ■



VII. Computation of the decoding polynomial

Let $Z > 0$ be an integer to be determined later. To compute $c \in \prod_i J_i^{z_i}$ of degree at most $l$ satisfying (2), we need to find a short pseudo-basis of the sub-$O_K$-module $M \cap \prod_i J_i^{z_i}$ of $K^{l+1}$, where $M$ is the $O_K$-module of the elements of $O_K[y]$ of degree at most $l$ embedded in $K^{l+1}$ via $\sum_j c_j y^j \mapsto (c_j)_{j \le l}$. We first compute a pseudo-generating set for each $M \cap J_i^{z_i}$, then we compute a pseudo-basis for their intersection, and we finally call the algorithm of [13] to produce a short pseudo-basis of $M \cap \prod_i J_i^{z_i}$ from which we derive $c$.

An algorithm for computing a pseudo-basis of the intersection of two modules given by their pseudo-bases is described by Cohen in [11, 1.5.2]. It relies on the HNF algorithm for $O_K$-modules. The HNF algorithm presented in [11, 1.4] is not polynomial, but a variant recently presented in [3] enjoys this property. We can therefore apply [11, 1.5.2] with the HNF of [3] successively for each pseudo-basis of $M \cap J_i^{z_i}$ to produce a pseudo-basis of $M \cap \prod_i J_i^{z_i}$.
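To make the procedure concrete, here is an added example (not the authors' implementation) of Algorithm 1 in the integer case $K = \mathbb{Q}$, $d = 1$, where $O_K$-modules are ordinary lattices, every weight $z_i$ is set to the same integer $z$, and the reduction of [13] is replaced by a textbook LLL. With $N = \prod_i p_i$ and $R$ the CRT lift of the received word ($R \equiv r_i \bmod p_i$), the ideals $J_i = (y - r_i, p_i)$ are pairwise comaximal, so $\prod_i J_i = (y - R, N)$ and $\prod_i J_i^{z} = (y - R, N)^z$; steps 1 to 7 of the pseudo-basis computation therefore reduce to writing down the basis $N^{z-j}(y - R)^j$ ($j < z$), $y^j(y - R)^z$ ($j \le l - z$), and step 8 is the scaling of column $j$ by $B^j$. The primes, $k = 2$, $z = 2$, $l = 4$ and the corrupted word are constructed for the example.

```python
"""Algorithm 1 in the integer case K = Q, d = 1 (a CRT code over Z): the lattice of
Section VII reduced with a textbook LLL, roots of c found by the rational root test.
Constructed toy parameters; not the authors' code."""
from fractions import Fraction
from math import prod

def crt(residues, moduli):
    """Garner: the R in [0, prod(moduli)) with R = r_i mod p_i for all i."""
    x, M = 0, 1
    for r, p in zip(residues, moduli):
        x += M * ((r - x) * pow(M, -1, p) % p)
        M *= p
    return x % M

def polymul(a, b):  # coefficient lists, lowest degree first
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return out

def polypow(p, e):
    out = [1]
    for _ in range(e):
        out = polymul(out, p)
    return out

def polyeval(c, x):  # Horner's rule
    acc = 0
    for coef in reversed(c):
        acc = acc * x + coef
    return acc

def dot(u, v):
    return sum(x * y for x, y in zip(u, v))

def lll(rows, delta=Fraction(3, 4)):
    """Textbook LLL, exact arithmetic; first output vector has norm <= 2^((n-1)/4) det^(1/n)."""
    b = [[Fraction(x) for x in row] for row in rows]
    n = len(b)
    def gram_schmidt():
        bstar, mu = [], [[Fraction(0)] * n for _ in range(n)]
        for i in range(n):
            v = list(b[i])
            for j in range(i):
                mu[i][j] = dot(b[i], bstar[j]) / dot(bstar[j], bstar[j])
                v = [vi - mu[i][j] * wj for vi, wj in zip(v, bstar[j])]
            bstar.append(v)
        return bstar, mu
    bstar, mu = gram_schmidt()
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):  # size reduction
            q = round(mu[k][j])
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                bstar, mu = gram_schmidt()
        if dot(bstar[k], bstar[k]) >= (delta - mu[k][k - 1] ** 2) * dot(bstar[k - 1], bstar[k - 1]):
            k += 1  # Lovasz condition holds
        else:
            b[k], b[k - 1] = b[k - 1], b[k]
            bstar, mu = gram_schmidt()
            k = max(k - 1, 1)
    return [[int(x) for x in row] for row in b]

def decoding_lattice(primes, received, B, z, l):
    """Z-basis of {c in (y - R, N)^z = prod_i J_i^z : deg c <= l}, column j scaled by B^j
    (step 8 of Algorithm 2) so that a short vector is a c with |c(m)| small for |m| < B."""
    N, R = prod(primes), crt(received, primes)
    rows = [[N ** (z - j) * c for c in polypow([-R, 1], j)] for j in range(z)]
    rows += [[0] * j + polypow([-R, 1], z) for j in range(l - z + 1)]
    return [[(row[j] if j < len(row) else 0) * B ** j for j in range(l + 1)] for row in rows]

def integer_roots(c, bound):
    """Integer roots m, |m| < bound: a nonzero root divides the lowest nonzero coefficient."""
    c, roots = list(c), set()
    while c[0] == 0:  # c = y * c', so 0 is a root
        roots.add(0)
        c.pop(0)
    c0 = abs(c[0])
    for dv in range(1, bound):
        if c0 % dv == 0:
            roots.update(m for m in (dv, -dv) if polyeval(c, m) == 0)
    return sorted(roots)

def agreement(m, received, primes):
    return sum(m % p == r for p, r in zip(primes, received))

def list_decode(primes, received, B, z, l, t):
    """Steps 2-3 of Algorithm 1: all |m| < B agreeing with `received` in >= t places, valid
    when (p_1...p_t)^z > sqrt(l+1) 2^(l/4) (N^(z(z+1)/2) B^(l(l+1)/2))^(1/(l+1)) (Section V)."""
    v = lll(decoding_lattice(primes, received, B, z, l))[0]
    c = [v[j] // B ** j for j in range(l + 1)]  # undo the column scaling
    return [m for m in integer_roots(c, B) if agreement(m, received, primes) >= t]

if __name__ == "__main__":
    primes = [11, 13, 17, 19, 23, 29, 31, 37]  # k = 2, so B = 11 * 13 = 143
    received = [5, 9, 15, 1, 8, 13, 2, 26]  # encoding of m = 100 corrupted at positions 0, 3, 6
    print(list_decode(primes, received, 143, z=2, l=4, t=5))  # [100]
```

The guarantee behind `list_decode` is the argument of Section V: $c(m)$ lies in $\prod_i p_i^{a_i z}$, and the LLL bound together with $|c(m)| \le \sum_j |c_j| B^j$ keeps $|c(m)|$ below $(p_1 \cdots p_t)^z$, so $c(m) = 0$ for every $m$ with at least $t$ agreements. For the parameters above the right-hand side is about $2 \cdot 10^{11}$ against $(11 \cdot 13 \cdot 17 \cdot 19 \cdot 23)^2 \approx 1.1 \cdot 10^{12}$, which is why three errors out of eight (agreement $5 \ge \sqrt{kn} = 4$) are corrected.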



Algorithm 2 Computation of the decoding polynomial

Require: $(\mathfrak{p}_i, z_i)_{i \le n}$, $l$, $N$, $B$, $F$ such that there exists $c \in \prod_i J_i^{z_i}$ of degree at most $l$ satisfying (2) for $F$, and the encoded message $(r_1, \cdots, r_n) \in \prod_i O_K/\mathfrak{p}_i$.
Ensure: $c \in \prod_i J_i^{z_i}$ of degree at most $l$ satisfying (2) for $F' = 2\sqrt{l+1}\,\bigl(2^{2+d(6+3d)}\,d^3\,|\Delta|^{2+d}\bigr)^{1/d}\,F$.
1: for $i \le n$ do
2:   $z_i \leftarrow \min(z_i, l)$.
3:   For $0 \le j < z_i$: $\mathfrak{a}^i_j \leftarrow \mathfrak{p}_i^{\,z_i - j}$, $a^i_j \leftarrow (y - r_i)^j$.
4:   For $z_i \le j \le l$: $\mathfrak{a}^i_j \leftarrow O_K$, $a^i_j \leftarrow y^{j - z_i}(y - r_i)^{z_i}$.
5:   Let $((\mathfrak{a}^i_j), (a^i_j))_{j \le l}$ be a pseudo-matrix for $M \cap J_i^{z_i}$.
6: end for
7: Compute a pseudo-basis $[(c_i), (\mathfrak{c}_i)]_{i \le l+1}$ of $M_1 := M \cap \prod_i J_i^{z_i}$.
8: Deduce a pseudo-basis $[(d_i), (\mathfrak{d}_i)]_{i \le l+1}$ of the module $M_2$ given by $(v_0, v_1, \cdots, v_l) \in M_1 \iff (v_0, v_1 B, \cdots, v_l B^l) \in M_2$.
9: Let $[(s_i), (\mathfrak{s}_i)]_{i \le l+1}$ be a short pseudo-basis of $M_2$ obtained with the reduction algorithm of [13].
10: Let $x_1, x_2$ be a short basis of $\mathfrak{s}_1$ obtained with [13, Th. 3].
11: return $c \in M_1$ corresponding to $x_1 s_1 \in M_2$.

VIII. Good weight settings

To derive our main result, we need to consider weights $z_i \ge 0$ in $\mathbb{R}$ rather than $\mathbb{Z}$. Let

$$\beta_{d,\Delta,\gamma} := \frac{d^3\,2^{3(1+d(2+d))}\,|\Delta|^{2+d}}{\alpha_{d,\Delta,\gamma}^{1/d}};$$

then by combining (3), (4) and Algorithm 2 we know that given $(r_1, \cdots, r_n) \in \prod_{i \le n} O_K/\mathfrak{p}_i$, $l > 0$, $B = \prod_{i \le k} \mathcal{N}(\mathfrak{p}_i)$ and integer weights $z_i \ge 0$, Algorithm 2 returns a polynomial $c$ of degree at most $l$ such that all $m \in O_K$ satisfying $\|m\| < B$ and

$$\sum_{i \le n} a_i z_i \log \mathcal{N}(\mathfrak{p}_i) \ge \frac{l}{2}\log(2^d B^d) + \frac{3d}{2}\log(l+1) + \frac{1}{l+1}\sum_{i \le n}\frac{z_i(z_i+1)}{2}\log \mathcal{N}(\mathfrak{p}_i) + \log \beta_{d,\Delta,\gamma} \qquad (5)$$

(where $a_i = 1$ if $m \bmod \mathfrak{p}_i = r_i$, $a_i = 0$ otherwise) are roots of $c$. In the following, we no longer assume the $z_i$ to be integers. However, we will use our previous results with the integer weights $z_i^* := \lceil A z_i \rceil$ for a sufficiently large integer $A$ to be determined.

Proposition 1. Let $\varepsilon > 0$, non-negative reals $z_i$, $B = \prod_{i \le k} \mathcal{N}(\mathfrak{p}_i)$, and an encoded message $(r_1, \cdots, r_n) \in \prod_i O_K/\mathfrak{p}_i$. Then our algorithm finds all the $m \in O_K$ such that $\|m\| < B$ and

$$\sum_{i \le n} a_i z_i \log \mathcal{N}(\mathfrak{p}_i) \ge \sqrt{\log(2^d B^d)\Bigl(\sum_{i \le n} z_i^2 \log \mathcal{N}(\mathfrak{p}_i) + \varepsilon\Bigr)},$$

where $a_i = 1$ if $m \bmod \mathfrak{p}_i = r_i$, $a_i = 0$ otherwise.

Proof: Note that we can assume without loss of generality that $z_{\max} = 1$. Let $z_i^* = \lceil A z_i \rceil$ for a sufficiently large integer $A$, which thus satisfies $A z_i \le z_i^* < A z_i + 1$. The decoding condition (5) for the weights $z_i^*$ is met whenever

$$\sum_{i \le n} a_i z_i \log \mathcal{N}(\mathfrak{p}_i) \ge \frac{l}{2A}\log(2^d B^d) + \frac{3d}{2A}\log(l+1) + \frac{A}{2(l+1)}\sum_{i \le n}\Bigl(z_i^2 + \frac{3 z_i}{A} + \frac{2}{A^2}\Bigr)\log \mathcal{N}(\mathfrak{p}_i) + \frac{1}{A}\log \beta_{d,\Delta,\gamma}. \qquad (6)$$



Let $\tilde z_i := z_i^2 + \frac{3}{A}z_i + \frac{2}{A^2}$ for $i \le n$ and

$$l := \left\lceil A\sqrt{\frac{\sum_{i \le n}\tilde z_i \log \mathcal{N}(\mathfrak{p}_i)}{\log(2^d B^d)}}\,\right\rceil - 1.$$

We assume that $A > \log(2^d B^d)$, which ensures that $l > 0$.



For this choice of $l$, condition (6) is satisfied whenever

$$\sum_{i \le n} a_i z_i \log \mathcal{N}(\mathfrak{p}_i) \ge \frac{3d}{2A}\log\left(A\sqrt{\frac{\sum_{i \le n}\tilde z_i \log \mathcal{N}(\mathfrak{p}_i)}{\log(2^d B^d)}} + 1\right) + \sqrt{\log(2^d B^d)\sum_{i \le n}\tilde z_i \log \mathcal{N}(\mathfrak{p}_i)} + \frac{1}{A}\log \beta_{d,\Delta,\gamma}. \qquad (7)$$

Assume that $A \ge \frac{\log \beta_{d,\Delta,\gamma}}{\varepsilon}$ and $A \ge \frac{\log N}{\varepsilon}$. Then the first term of the right side of (7) is $O\!\left(\frac{\log\log N}{\log N}\right)$, and for $N$ large enough the right side of (7) is at most

$$\sqrt{\log(2^d B^d)\Bigl(\sum_{i \le n} z_i^2 \log \mathcal{N}(\mathfrak{p}_i) + \varepsilon\Bigr)}.$$

The degree $l$ of our decoding polynomial $c$ is therefore polynomial in $\log N$, $\frac{1}{\varepsilon}$, $d$ and $\log|\Delta|$. By [11, 2.3], we know that the complexity to find the roots of $c$ is polynomial in $d$, $l$ and in the logarithm of the height of $c$, which we already proved to be polynomial in the desired values. ■

Corollary 1. Let $\varepsilon > 0$, $k < n$ and prime ideals $\mathfrak{p}_1, \cdots, \mathfrak{p}_n$ satisfying $\mathcal{N}(\mathfrak{p}_i) \le \mathcal{N}(\mathfrak{p}_{i+1})$ and $\log \mathcal{N}(\mathfrak{p}_{k+1}) \ge \max(2dk \log \mathcal{N}(\mathfrak{p}_k), 2d^2)$. Then, with the previous notations, our algorithm finds a list of all codewords which agree with a received word in $t$ places provided $t \ge \sqrt{k(n + \varepsilon)}$.

Proof: The proof is similar to the one of [8, Th. 7.14]. The main difference is that we define

$$\delta := k - \frac{\log(2^d B^d)}{\log \mathcal{N}(\mathfrak{p}_{k+1})},$$

which satisfies $\delta \ge 0$ since by assumption $\log \mathcal{N}(\mathfrak{p}_{k+1}) \ge \max(2dk \log \mathcal{N}(\mathfrak{p}_k), 2d^2)$, so that $d\log B \le dk \log \mathcal{N}(\mathfrak{p}_k) \le \frac{1}{2}\log \mathcal{N}(\mathfrak{p}_{k+1})$ and $d \log 2 \le d^2 \le \frac{1}{2}\log \mathcal{N}(\mathfrak{p}_{k+1})$. We apply Proposition 1 with $z_i = 1/\log \mathcal{N}(\mathfrak{p}_i)$ for $i \ge k+1$, $z_i = 1/\log \mathcal{N}(\mathfrak{p}_{k+1})$ for $i \le k$, and $\varepsilon' = \varepsilon/\log \mathcal{N}(\mathfrak{p}_{k+1})$. With these weights, $\sum_{i \le n} a_i z_i \log \mathcal{N}(\mathfrak{p}_i) \ge t - k + \frac{\log B}{\log \mathcal{N}(\mathfrak{p}_{k+1})} \ge t - \delta$, so it allows us to retrieve the codewords whose number of agreements $t$ is at least

$$\delta + \sqrt{\frac{\log(2^d B^d)}{\log \mathcal{N}(\mathfrak{p}_{k+1})}\left(\frac{\log B}{\log \mathcal{N}(\mathfrak{p}_{k+1})} + \sum_{i > k}\frac{\log \mathcal{N}(\mathfrak{p}_{k+1})}{\log \mathcal{N}(\mathfrak{p}_i)} + \varepsilon\right)}$$

$$\le \delta + \sqrt{\frac{\log(2^d B^d)}{\log \mathcal{N}(\mathfrak{p}_{k+1})}\left(\frac{\log(2^d B^d)}{\log \mathcal{N}(\mathfrak{p}_{k+1})} + \sum_{i > k}\frac{\log \mathcal{N}(\mathfrak{p}_{k+1})}{\log \mathcal{N}(\mathfrak{p}_i)} + \varepsilon\right)}.$$

Since $\frac{\log(2^d B^d)}{\log \mathcal{N}(\mathfrak{p}_{k+1})} = k - \delta$ and each term of the sum over $i > k$ is at most $1$, this condition is met whenever $t \ge \delta + \sqrt{(k - \delta)(n - \delta + \varepsilon)}$. From the Cauchy–Schwarz inequality, we notice that

$$\sqrt{k(n + \varepsilon)} = \sqrt{\delta + (k - \delta)}\,\sqrt{\delta + (n - \delta + \varepsilon)} \ge \delta + \sqrt{(k - \delta)(n - \delta + \varepsilon)},$$

which proves that our decoding algorithm works when $t \ge \sqrt{k(n + \varepsilon)}$. ■

IX. Conclusion

We presented the first method for list decoding number field codes. A straightforward application of Theorem 2 allows us to derive a decoding algorithm in polynomial time. However, we cannot achieve the Johnson bound with this method. To solve this problem, we described an analogue of the CRT list decoding algorithm for codes based on number fields. This is the first algorithm allowing list decoding of number field codes up to the Johnson bound. We followed the approach of [8, Ch. 7] that provides a general framework for list decoding of algebraic codes, along with its application to CRT codes. The modifications required to make this strategy efficient in the context of number fields are substantial. We needed to refer to the theory of modules over a Dedekind domain, and carefully analyse the process of intersecting them, as well as finding short elements. We proved that our algorithm is polynomial in the size of the input, that is in $d$, $\log(N)$, $\log|\Delta|$ and $\frac{1}{\varepsilon}$.